Yesterday, Microsoft’s Dick Craddock posted a blog entry describing a new feature that was recently added to Hotmail. The feature lets users easily report when they think a friend’s email account has been hacked. Overall, this is quite a clever idea and a good move from Microsoft toward better securing its Hotmail service. The announcement comes hot on the heels of a report showing that spammers are switching to sending from compromised accounts instead of directly from bots.
The idea behind the feature is that when an account is compromised, it is often used to spam the compromised user’s friends. This new system allows those friends to act as an early warning system in addition to Hotmail’s other account compromise detection features. Hotmail will even send notifications to Gmail and Yahoo!’s mail team if they find out that accounts from those providers have been hacked.
It’s very positive to see steps like this being added by online mail providers and I wouldn’t be surprised to see other providers follow suit. Microsoft is also enhancing its weak password detection in order to force users to use stronger passwords. This is also a good idea, as it will help protect users against attackers who manually guess their passwords but will be less effective at stopping account compromises from malware. Most modern data-stealing malware will intercept all Web passwords and send these back to the attacker so, unfortunately, it does not make much difference if your password is 123456 or if it looks like a cat ran across your keyboard.
While we’re at it, here are some other neat Webmail security features you may not have been aware of:
- Hotmail allows users to use a single-use code to log in when they are logging into the site from an untrusted machine (e.g., an Internet cafe, a public shared machine, a hacker friend’s laptop, etc.). There is a link just below the Sign in button on login.live.com.
- Gmail provides the option of using two-factor authentication, which requires you to have access to your phone in order to log in. This means that an attacker would need to have physical access to your phone in addition to your account details in order to access your account.
- Earlier this year, I wrote a blog entry advising users to lie when filling out their password recovery questions. Password recovery questions can still be one of the weakest links in ensuring Webmail security.
What will be interesting to see is how attackers respond to this move, especially if other providers copy Hotmail. It will force attackers to rethink whom they spam from a compromised account. This is obviously a cat-and-mouse game, with the security industry gaining the upper hand for some time before the balance flips back and forth between the two. But any technology that makes the lives of cybercriminals more difficult and directly cuts into their bottom line is definitely a welcome one in my book.